What's New in Apache Ranger
The following new features and enhancements are generally available for Ranger customers in Cloudera Runtime 7.1.9:
Ranger Replication
You can create Ranger replication policies in CDP Private Cloud Base Replication Manager. The Ranger replication policies migrate the Ranger policies, roles, and tags for HDFS, Hive, and HBase services between Kerberos-enabled CDP Private Cloud Base 7.1.9 or higher clusters using Cloudera Manager 7.11.3. It can also migrate Ranger audit logs in HDFS. For more information, see the topics at: Ranger replication policies.
Ranger Usersync option to update group memberships when same users and groups are synced from multiple sync sources
Ranger Usersync now provides an option for customers to treat users/groups from multiple sync sources as the same for updating group memberships. For more information, see the updated topic: Configuring Usersync to sync directly with LDAP/AD.
HA support for Ranger Tag Sync/User Sync
Ranger now supports high availability for Ranger Tag Sync/User Sync. Configuring high availability adds another instance of each role to an additional host, which host continues to run the features if the default host fails. For more information, see Configuring Ranger Usersync and Tagsync High Availability.
New Ranger API to collect metrics in Ranger Admin
Ranger now provides two APIs to fetch ranger admin metrics. One returns a response in JSON format and the other returns a response in prometheus-compatible format. For more information, see Ranger Admin Metrics API.
New Ranger APIs to import/export roles in Ranger Admin
Ranger now includes APIs to import and export roles. For more information, see Ranger REST API documentation.
Ranger HDFS plugin option to view permissions through getfacl interface when Ranger RMS (Hive-HDFS ACL Sync) is enabled
You can configure the Ranger HDFS plugin to view user accees permissions in a manner similar to the HDFS getfacl command after migratng from CDH to CDP. This change is just a way to see the permissions. There is NO change in the way Ranger RMS (Hive-HDFS ACL Sync) enforces permissions. For more information, see Configuring HDFS plugin to view permissions through getfacl interface.
Ranger RMS support for Ozone
In CDP 7.1.9, Ranger RMS will support authorization for Ozone storage locations. RMS for Ozone will co-exist with Hive-HDFS ACL sync and provide authorization for both HDFS and Ozone file systems. For more information, see the updated topics and examples throughout: About Ranger RMS for Ozone.
Add support for enabling audit file accumulation
You can enable and configure alerts for Ranger plugin-supported services through Cloudera Manager. Such alerts notify when audit spool files accumulate in the spool directories for Solr and HDFS. For more information, see Configuring audit spool alert notifications.
Add support for additional methods in RangerKafkaAuthorizer
RangerKafkaAuthorizer includes ACL APIs that refer to Ranger Policies when these commands are executed. Ranger relies on the grant, revoke and policy engine APIs to cater the needed functionality. For more information, see Kafka ACL APIs support.
Add APIs to support force deletes of external users and groups from Ranger db
A Ranger database may (over)-populate with user and group records. To aid in removal of unnecessary users/groups, customers may use this feature to delete specific external user/groups or even all external users/groups if required. For more information, see Force deletion of external users and groups from the Ranger database.
Performance and Function Improvements
-
Provide workaround for Ranger RMS customers who may experience intermittent high RPC queue and processing time. For more information, see Ranger RMS field issues - HDFS latency.